01-20-2011 03:15 PM - edited 03-06-2019 03:06 PM
Hi,
I am attempting to set up a Site-to-Site VPN between a Cisco 1720 and a Cisco 861. The 1720 is equipped with the VPN module. I followed a tutorial that was virtually identical to another tutorial that I found. Here are the steps that I followed:
PART 1:
router(config)#crypto isakmp policy 10
router(config-isakmp)#hash sha
router(config-isakmp)#authentication pre-share
router(config-isakmp)#crypto isakmp key thevpnkeytobeshared address 192.168.16.105
PART 2:
router(config)#crypto ipsec transform-set vpnset esp-aes esp-sha-hmac
router(cfg-crypto-trans)#exit
router(config)#crypto map vpnset 10 ipsec-isakmp
% NOTE: This new crypto map will remain disabled until a peer
and a valid access list have been configured.
router(config-crypto-map)#set peer 192.168.16.105
router(config-crypto-map)#set transform-set vpnset
router(config-crypto-map)#match address 100
APPLY TO OUTSIDE INTERFACE:
router(config)#int f4
router(config-if)#crypto map vpnset
MAKE ACCESS LIST:
router(config)#access-list 100 permit ip <local network> 0.0.0.255 <remote network> 0.0.0.255
I repeated the steps on the second router and waited expectantly... Nothing...
I tried to ping an address behind the remote router and got nothing.
Both routers' outside interfaces are pingable by each other. Both are also working normally and passing traffic from internal hosts to the outside.
Here are the configs for each:
CISCO 1720 ROUTER CONFIG:
Current configuration : 2038 bytes
!
! Last configuration change at 17:58:39 UTC Mon May 17 2010 by admin
! NVRAM config last updated at 15:54:54 UTC Mon May 17 2010 by admin
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO1720
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$weoa$3vN7NzLwnTFaU/rJLDWg21
enable password password789
!
username admin password 0 ciscossh
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa session-id common
ip subnet-zero
!
!
ip domain name CISCO1720.com
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool dpool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222 208.67.220.220
domain-name CISCO1720.com
!
ip cef
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key trytofigurethisoneout911 address 55.55.55.101
!
!
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 55.55.55.101
set transform-set vpnset
match address 100
!
!
!
interface Loopback0
ip address 192.168.1.2 255.255.255.0
ip nat inside
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface Ethernet0
ip address 55.55.55.100 255.255.255.0
ip nat outside
full-duplex
crypto map vpnset
!
interface FastEthernet0
ip address 192.168.1.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip http server
ip http secure-server
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 10.200.200.0 0.0.0.255
!
!
line con 0
line aux 0
line vty 0 4
password bigpassword1
transport input ssh
!
!
end
CISCO 861 ROUTER CONFIG:
Current configuration : 3602 bytes
!
! Last configuration change at 08:31:08 UTC Mon Mar 1 1993 by admin
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CISCO800
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$0DEM$qqjEmA8yd5mGWZhrfBMsy1
enable password password789
!
no aaa new-model
memory-size iomem 10
!
!
ip source-route
!
!
ip dhcp excluded-address 10.200.200.1 10.200.200.100
!
ip dhcp pool dpool1
import all
network 10.200.200.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
domain-name CISCO800.com
default-router 10.200.200.1
!
!
ip cef
ip domain name CISCO800.com
!
!
username admin password 0 ciscossh
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key trytofigurethisoneout911 address 55.55.55.100
!
!
crypto ipsec transform-set vpnset esp-3des esp-sha-hmac
!
crypto map vpnset 10 ipsec-isakmp
set peer 55.55.55.100
set transform-set vpnset
match address 100
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
ip address 55.55.55.101 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnset
!
interface Vlan1
ip address 10.200.200.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip http server
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip default-network 55.55.55.0
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
access-list 1 permit 10.200.200.0 0.0.0.255
access-list 100 permit ip 10.200.200.0 0.0.0.255 192.168.1.0 0.0.0.255
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
login local
transport input ssh
!
scheduler max-task-time 5000
end
The tunnel just won't build itself. I noticed when I was reviewing my configs that I was using AES, and my 1720 does not support it, so I changed that in both routers. The above configs are what is currently running. Any help would be greatly appreciated.
01-20-2011 03:25 PM
I see you are using NAT.
It is important to disable NAT for VPN traffic.
Remove:
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface Ethernet0 overload
Add:
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.200.200.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 101 interface Ethernet0 overload
01-20-2011 03:26 PM
On a quick look on the configuration, you are missing NAT Exempt for the VPN traffic.
Check this example, copied from the link mentioned below:
Make sure that your device is configured to use the NAT Exemption ACL. On a router, this means that you use the route-map command. On the PIX or ASA, this means that you use the nat (0) command. A NAT exemption ACL is required for both LAN-to-LAN and Remote Access configurations.
Here, an IOS router is configured to exempt traffic that is sent between 192.168.100.0 /24 and 192.168.200.0 /24 or 192.168.1.0 /24 from NAT. Traffic destined for anywhere else is subject to NAT overload:
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 deny ip 192.168.100.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 192.168.100.0 0.0.0.255 any
route-map nonat permit 10
match ip address 110
ip nat inside source route-map nonat interface FastEthernet0/0 overload
http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
Thanks
Manish
01-20-2011 03:58 PM
Thank you. I made the changes that you said, and when I pinged, the tunnel came up. However the ping still dropped 100%. I am not able to ping the interfaces or client computers on the inside of the opposite router. Any further suggestions?
01-20-2011 04:24 PM
Jack,
Did you make changes on one router only?
If yes, then:
1> Make similar changes on the other router as well
Remove:
access-list 1 permit 10.200.200.0 0.0.0.255
ip nat inside source list 1 interface FastEthernet4 overload
Add:
access-list 101 deny ip 10.200.200.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.200.200.0 0.0.0.255 any
ip nat inside source list 101 interface FastEthernet4 overload
If you have already done that , then check for firewall/iptables on the host machines.
Manish
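The two replies above make the same point from each side of the tunnel: with `ip nat inside source list 1 ... overload`, every inside packet is translated to the outside address before the crypto map is consulted, so nothing ever matches access-list 100 and the tunnel never triggers. The following Python model, added here and not part of the thread or of Cisco IOS, walks a packet through that order of operations using the exact ACL lines posted (the original standard ACL 1, the suggested exemption ACL 101, and crypto ACL 100 on both routers) and also checks that the two crypto ACLs are mirror images of each other. Host addresses such as 192.168.1.10 and 198.51.100.7 are constructed for the example.

```python
"""Model of how IOS evaluates a NAT ACL and a crypto-map ACL against the same
inside-to-outside packet, using the ACLs posted in this thread.
Example code, not from the thread or from Cisco."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str   # wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str


def _parse_addr(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A', 'A WILDCARD' or bare 'A'."""
    tok = tokens[i]
    if tok == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tok == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    if i + 1 < len(tokens):
        return tok, tokens[i + 1], i + 2
    return tok, "0.0.0.0", i + 1          # bare address in a standard ACL


def parse_acl(lines):
    """Parse numbered standard ('access-list N permit SRC') and extended
    ('access-list N permit ip SRC DST') ACL lines into Ace entries."""
    aces = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list":
            raise ValueError(f"unsupported ACE: {line!r}")
        action = tokens[2]
        if tokens[3] == "ip":                          # extended ACL
            src, src_wc, i = _parse_addr(tokens, 4)
            dst, dst_wc, _ = _parse_addr(tokens, i)
        else:                                          # standard ACL: source only
            src, src_wc, _ = _parse_addr(tokens, 3)
            dst, dst_wc = "0.0.0.0", "255.255.255.255"
        aces.append(Ace(action, src, src_wc, dst, dst_wc))
    return aces


def wildcard_match(addr, net, wildcard):
    """IOS wildcard semantics: only the 0 bits of the wildcard must agree."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, net, wildcard))
    return (a ^ n) & (~w & 0xFFFFFFFF) == 0


def evaluate(acl, src, dst):
    """First matching entry wins; no match is an implicit deny, as on IOS."""
    for ace in acl:
        if wildcard_match(src, ace.src, ace.src_wc) and wildcard_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def outbound_path(nat_acl, crypto_acl, outside_ip, src, dst):
    """Inside-to-outside on IOS: NAT runs before the crypto map is checked.
    A 'permit' in the NAT ACL rewrites the source to the outside address, and the
    crypto ACL is then matched against the translated packet. Returns
    (source address on the wire, whether the packet is sent through the tunnel)."""
    translated = evaluate(nat_acl, src, dst) == "permit"
    src_on_wire = outside_ip if translated else src
    encrypted = evaluate(crypto_acl, src_on_wire, dst) == "permit"
    return src_on_wire, encrypted


def mirror_image(acl_a, acl_b):
    """Crypto ACLs on the two peers must be mirror images: every permit on one side
    must appear on the other side with source and destination swapped."""
    a = {(x.src, x.src_wc, x.dst, x.dst_wc) for x in acl_a if x.action == "permit"}
    b = {(x.dst, x.dst_wc, x.src, x.src_wc) for x in acl_b if x.action == "permit"}
    return a == b


# ACL lines exactly as they appear in the thread.
CRYPTO_1720 = parse_acl(["access-list 100 permit ip 192.168.1.0 0.0.0.255 10.200.200.0 0.0.0.255"])
CRYPTO_861 = parse_acl(["access-list 100 permit ip 10.200.200.0 0.0.0.255 192.168.1.0 0.0.0.255"])
NAT_1720_ORIGINAL = parse_acl(["access-list 1 permit 192.168.1.0 0.0.0.255"])
NAT_1720_FIXED = parse_acl([
    "access-list 101 deny ip 192.168.1.0 0.0.0.255 10.200.200.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
])

if __name__ == "__main__":
    host, peer_host, internet = "192.168.1.10", "10.200.200.10", "198.51.100.7"  # constructed
    print("original NAT ACL :", outbound_path(NAT_1720_ORIGINAL, CRYPTO_1720, "55.55.55.100", host, peer_host))
    print("exemption ACL    :", outbound_path(NAT_1720_FIXED, CRYPTO_1720, "55.55.55.100", host, peer_host))
    print("internet-bound   :", outbound_path(NAT_1720_FIXED, CRYPTO_1720, "55.55.55.100", host, internet))
    print("crypto ACLs mirror:", mirror_image(CRYPTO_1720, CRYPTO_861))
```

With the original ACL 1 the packet leaves as 55.55.55.100 and never matches ACL 100; with ACL 101 the LAN-to-LAN packet is exempted, keeps its 192.168.1.x source and matches the crypto map, while internet-bound traffic is still overloaded onto the outside address. The same model run with the 861's ACLs gives the symmetric result.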
01-20-2011 04:31 PM
If you have changed both sides and still have the problem,
you need to post the output of the debug commands below when you try to ping the other side:
debug crypto ipsec
debug crypto isakmp
and then
u all
debug ip icmp
01-21-2011 07:42 AM
This was my mistake. The tunnel was fine, but I had no hosts plugged into the ethernet interface. So the pings from that interface would not work, since it was down.
I set a loopback interface on each router and updated the access lists to match. It worked immediately. Thanks for your help.
01-21-2011 07:43 AM
Thanks for your help. Especially for the reference material on this topic.